If this is really as straightforward as it sounds then I’d consider this the best case scenario. Google could have gone full Apple style lockdown or even just have implemented this flow on a per app basis, but needing to wait 24hr one time to enable unverified app installation isn’t a bad idea from a security perspective. It prevents a bad actor with temporary access from being able to do much while not getting in the way of us power users after the initial 24hr period.

My bigger problem is how Google is leveraging their monopoly to implement this single-handedly and only for themselves. If they had instead gone through AOSP this perhaps could have been implemented in a better way to allow other parties than just Google to be the verifier, and that 24hr waiting period could be applied to any verifier that is not the phone’s default. I’d argue this would be an equally reasonable security measure considering how many scams are out there preying on those who aren’t technologically savvy, yet would maintain transparency.